Firewall Rules
Complete firewall configuration for the UniFi Gateway.
Current Rules (from Screenshots)
| Name | Policy Type | Action | Protocol | Src. Zone | Source | Dst. Zone | Destination | Dst. Port |
|---|---|---|---|---|---|---|---|---|
| Translate Network Traffic to… | Masquerade NAT | Translate | All | - | zrh-default-v1, zrh-mgmt-v10 +4 | - | Any | Any |
| FW_ALLOW_ZRH-DC-ZRH-01_DNS_EGRESS | Masquerade NAT | Translate | All | - | zrh-default-v1, zrh-mgmt-v10 +3 | - | Any | Any |
| FW_ALLOW_ZRH-DC-ZRH-… | Firewall | Allow | TCP/UDP | Internal | 10.30.30.10 | External | 1.1.1.1, 8.8.8.8 | 53 |
| FW_DENY_ZRH-SRV-V30_I… | Firewall | Block | All | Internal | zrh-srv-v30 | External | Any | Any |
| Allow Neighbor Advertisement… | Firewall | Allow | ICMPv6 | External | Any | Gateway | Any | Any |
| Allow Neighbor Solicitations | Firewall | Allow | ICMPv6 | External | Any | Gateway | Any | Any |
| Allow Return Traffic | Firewall | Allow | All | Multiple | Any | Any | Any | Any |
| Allow WireGuard VPNs | Firewall | Allow | UDP | External | Any | Gateway | Any | 51820 |
| Allow mDNS | Firewall | Allow | UDP | Internal | Any | Gateway | 224.0.0.251, ff02::fb | 5353 |
| Block 10.1.1.0/24 Internet Ac… | Firewall | Block | All | Internal | 10.1.1.0/24 | External | Any | Any |
| Block Invalid Traffic | Firewall | Block | All | Multiple | Any | Multiple | Any | Any |
| Block QUIC | Firewall | Block | UDP | Internal | 10.40.40.0/22 | External | Any | 443 |
| Allow All Traffic | Firewall | Allow | All | Multiple | Any | Multiple | Any | Any |
| Block All Traffic | Firewall | Block | All | Multiple | Any | Multiple | Any | Any |
Key Security Rules Explained
FW_ALLOW_ZRH-DC-ZRH-01_DNS_EGRESS
Allows the Forest Root DC to reach the external DNS resolvers it forwards to.
- Source: 10.30.30.10 (srv-dc-zrh-01)
- Destination: 1.1.1.1, 8.8.8.8
- Protocol: TCP/UDP
- Port: 53
- Action: Allow
- Position: BEFORE FW_DENY_ZRH-SRV-V30
FW_DENY_ZRH-SRV-V30_Internet_EGRESS
Blocks all Server VLAN traffic to the Internet (except the explicit allows above).
- Source: zrh-srv-v30 (entire VLAN 30)
- Destination: External
- Protocol: All
- Action: Block
Block QUIC
Blocks QUIC (UDP 443) from clients so browsers fall back to TCP-based HTTPS, which can be inspected.
- Source: 10.40.40.0/22 (Client VLAN)
- Destination: External
- Protocol: UDP
- Port: 443
- Action: Block
Rule Processing Order
Section titled “Rule Processing Order”In UniFi, rules are evaluated:
- Zone-to-Zone context selected first
- Rules within that context evaluated top-to-bottom
- First match wins
- Implicit deny at end
Important: Zone pairing is evaluated BEFORE individual rules!
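The following is an added worked example, not configuration or code from this page or from UniFi: a small first-match evaluator that models the processing order described above (zone pair first, then top-to-bottom, first match wins, implicit deny) and runs the Internal-to-External rules from the table through it. It shows why the DNS allow must sit before the VLAN 30 deny. The zone map, the /24 length for zrh-srv-v30, treating the table's "Multiple" zone as a wildcard, and the expanded truncated rule names are assumptions made for the model.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Zone membership by prefix. The VLAN prefixes come from the page's table;
# putting them all in the "Internal" zone and the /24 for zrh-srv-v30 are assumptions.
ZONE_OF_PREFIX = {
    ip_network("10.30.30.0/24"): "Internal",  # zrh-srv-v30 (prefix length assumed)
    ip_network("10.40.40.0/22"): "Internal",  # client VLAN
    ip_network("10.1.1.0/24"): "Internal",
}

def zone_for(addr: str) -> str:
    """Map an address to its zone; anything outside a known prefix is External."""
    ip = ip_address(addr)
    for net, zone in ZONE_OF_PREFIX.items():
        if ip in net:
            return zone
    return "External"

def in_any(addr: str, cidrs: tuple) -> bool:
    """True if addr falls in one of the CIDRs, or if the tuple is the 'Any' wildcard."""
    if cidrs == ("Any",):
        return True
    ip = ip_address(addr)
    return any(ip in ip_network(c) for c in cidrs)

@dataclass(frozen=True)
class Flow:
    proto: str   # "tcp" or "udp"
    src: str
    dst: str
    dport: int

@dataclass(frozen=True)
class Rule:
    name: str
    action: str            # "Allow" or "Block"
    proto: frozenset       # {"tcp", "udp"} or {"any"}
    src_zone: str          # zone name, or "Multiple" (modelled here as a wildcard)
    src: tuple             # ("Any",) or a tuple of CIDRs
    dst_zone: str
    dst: tuple
    dport: Optional[int]   # None means any port

    def in_context(self, flow: Flow) -> bool:
        """Zone-pair check: a rule is only considered in its zone-to-zone context."""
        sz, dz = zone_for(flow.src), zone_for(flow.dst)
        return self.src_zone in ("Multiple", sz) and self.dst_zone in ("Multiple", dz)

    def matches(self, flow: Flow) -> bool:
        return (self.in_context(flow)
                and ("any" in self.proto or flow.proto in self.proto)
                and in_any(flow.src, self.src)
                and in_any(flow.dst, self.dst)
                and (self.dport is None or self.dport == flow.dport))

def evaluate(rules, flow: Flow):
    """Top-to-bottom, first match wins; no match falls through to the implicit deny."""
    for rule in rules:
        if rule.matches(flow):
            return rule.action, rule.name
    return "Block", "implicit deny"

ANY = ("Any",)
TCP_UDP = frozenset({"tcp", "udp"})
ALL = frozenset({"any"})

# Rules from the page's table, in the page's order. Truncated names are expanded
# from the "Key Security Rules Explained" section.
RULES = [
    Rule("FW_ALLOW_ZRH-DC-ZRH-01_DNS_EGRESS", "Allow", TCP_UDP, "Internal",
         ("10.30.30.10/32",), "External", ("1.1.1.1/32", "8.8.8.8/32"), 53),
    Rule("FW_DENY_ZRH-SRV-V30_Internet_EGRESS", "Block", ALL, "Internal",
         ("10.30.30.0/24",), "External", ANY, None),
    Rule("Block 10.1.1.0/24 Internet Access", "Block", ALL, "Internal",
         ("10.1.1.0/24",), "External", ANY, None),
    Rule("Block QUIC", "Block", frozenset({"udp"}), "Internal",
         ("10.40.40.0/22",), "External", ANY, 443),
    Rule("Allow All Traffic", "Allow", ALL, "Multiple", ANY, "Multiple", ANY, None),
    Rule("Block All Traffic", "Block", ALL, "Multiple", ANY, "Multiple", ANY, None),
]

# The same rules with the DNS allow placed below the VLAN 30 deny, to show why the
# page insists on "Position: BEFORE FW_DENY_ZRH-SRV-V30".
MISORDERED = [RULES[1], RULES[0]] + RULES[2:]

if __name__ == "__main__":
    # Constructed sample flows; 203.0.113.7 is a documentation-range address.
    for f in [Flow("udp", "10.30.30.10", "1.1.1.1", 53),
              Flow("tcp", "10.30.30.20", "1.1.1.1", 53),
              Flow("udp", "10.40.40.15", "203.0.113.7", 443),
              Flow("tcp", "10.40.40.15", "203.0.113.7", 443)]:
        print(f, "->", evaluate(RULES, f))
    print("misordered DC DNS ->", evaluate(MISORDERED, Flow("udp", "10.30.30.10", "1.1.1.1", 53)))
```

Running it shows the DC's DNS query allowed by the explicit rule, any other VLAN 30 host blocked by the deny, client UDP/443 dropped by Block QUIC while client TCP/443 passes, and the DC's query blocked as soon as the two rules are swapped.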